
Malware Development Basics

SJU ACM STUDENT CHAPTER

Sign In Form:


Disclaimer


Before We Begin

  • This lab is for educational purposes ONLY
  • You’re going to learn how basic malware is written, as well as concepts employed.
  • Do not attempt to use the knowledge you learn here to perform any malicious actions


Logging In to the Lab Machines

  1. Reboot the machine
  2. When given the option between “Lab/Classroom” and “Closed Network”, choose “Closed Network”
  3. Log in to the machine:
    1. Username: student
    2. Password: Security2021
  4. Open VirtualBox; there should be a machine called “sju acm mal dev”
  5. Do not start the machine yet
  6. Passw0rd!


The basics


What is Malware?

  • Cisco defines malware as:
    • Intrusive software that is designed to damage and destroy computers, systems and networks.
  • Malware = Malicious Software
  • Sometimes the goal is to damage systems, but very often the goal is actually to gain access to a system or network.


Types of malware

  • Droppers
    • The most basic form of malware. Used solely to “drop” another piece of software/malware onto the target machine
  • Trojans
    • Malware that disguises itself as a legitimate program
  • Spyware
    • Collects information about the user without their knowledge
  • Ransomware
    • Holds files or even an entire system hostage until a ransom is paid


Why learn to write malware?

  • How could you possibly have an ethical reason for learning to write malware?
  • Pentesting / red teaming
    • Malware extends beyond what you may think. Payloads and implants that are commonly used during pentests and red team engagements are also commonly considered forms of malware
  • Better understanding for defense
    • It's very hard to defend against something if you don't understand how it works


PE files


What is a PE?

  • Portable Executable
  • OS loader can read this file format and load it into memory as a process

(Diagram: the file on disk is read by the OS loader and becomes a process in memory.)


PE Format (cont.)

  • Complicated
  • Essentially, a PE is a “book” that contains “data” and “metadata”

(Diagram: a PE consists of headers, the “metadata”, followed by sections, the “data”.)

What is a dropper?

  • “Drops” some sort of payload onto the target machine
  • Shellcode


Payload storage

  • Where to store payloads?
  • Three important sections
  • Each has its own benefits and drawbacks
    • .text = Within a function
    • .data = Within a global variable
    • .rsrc = As a separate file stored within the PE

(Diagram: the .text, .data and .rsrc sections of the PE.)


Function Call Obfuscation

  • Calling external functions
  • Detection is often based on the DLLs and functions listed in the import table
  • GetModuleHandle and GetProcAddress
  • Example:
    • handle = GetModuleHandle(“sound.dll”)
    • GetProcAddress(handle, “PlaySound”)


Code Injection

  • A method of transferring your payload from one process to another
  • Escape from a short-lived process
  • Establish a backup C2 channel (the “two is one, one is none” principle)

Classic method:

  • Shellcode Injection
    • Phase 1: Copy shellcode to the target process (you must have the correct access rights)
    • Phase 2: Make the target process execute the shellcode

(Diagram: Dropper.exe holds the payload; after injection a copy of the payload lives inside Iexplorer.exe.)


Code Injection (cont.)

(Diagram: Dropper.exe holds the shellcode; Explorer.exe is the target process.)

Code Injection (cont.)

(Diagram, “AllocateMemory”: an empty buffer is allocated inside Explorer.exe.)

Code Injection (cont.)

(Diagram, “Copy Shellcode”: the shellcode is copied from Dropper.exe into that buffer in Explorer.exe.)

Code Injection (cont.)

(Diagram, “ExecuteShellcode”: Explorer.exe runs the copied shellcode.)


Code Injection (cont.)

  • Most popular method:
    • VirtualAllocEx
    • WriteProcessMemory
    • CreateRemoteThread
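The following script is an added example, not part of the lab's materials, and it looks at three of the slides above (payload storage, function call obfuscation, and the VirtualAllocEx / WriteProcessMemory / CreateRemoteThread trio) from the analyst's side rather than the author's. It parses a PE's section table (the headers-then-sections layout from the PE slides), measures each section's byte entropy to spot an encrypted or packed payload stashed in .data or .rsrc, and checks whether the injection and resolver API names are present as plain strings even though a dropper that resolves them with GetProcAddress would not list them in its import table. The sample PE it builds in memory, the 7.0-bit entropy threshold and the indicator lists are all constructed assumptions for the example.

```python
"""Added example, not from the slides: defender-side triage of a PE's sections.

Parses the section table, scores each section's byte entropy (an encrypted
or packed payload stored in .data/.rsrc shows up as a high-entropy blob) and
scans for API names that a dropper resolves at runtime instead of importing.
The sample PE, the entropy threshold and the indicator lists are constructed
assumptions for this example, not the lab's tooling.
"""
import hashlib
import math
import struct
from collections import Counter

INJECTION_APIS = (b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread")
RESOLVER_APIS = (b"GetModuleHandleA", b"GetProcAddress", b"LoadLibraryA")
OPT_HEADER_SIZE = 112  # size of the stub optional header in the sample PE (assumption)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size             # section headers follow the optional header
    sections = []
    for i in range(nsections):
        off = table + i * 40                 # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rsize, "raw_offset": rptr,
                         "characteristics": chars, "data": pe[rptr:rptr + rsize]})
    return sections


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random; compiled code usually sits well below 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(pe: bytes, entropy_threshold: float = 7.0) -> list:
    """Per-section entropy and indicator-string findings."""
    report = []
    for s in parse_sections(pe):
        ent = shannon_entropy(s["data"])
        hits = [a.decode() for a in INJECTION_APIS + RESOLVER_APIS if a in s["data"]]
        report.append({"name": s["name"], "entropy": round(ent, 2),
                       "high_entropy": ent >= entropy_threshold, "api_strings": hits})
    return report


def flag_dropper_indicators(report: list) -> dict:
    """Roll the per-section findings up into the questions an analyst asks first."""
    names = {a for s in report for a in s["api_strings"]}
    return {"runtime_resolution": "GetProcAddress" in names,
            "injection_apis": all(a.decode() in names for a in INJECTION_APIS),
            "high_entropy_sections": [s["name"] for s in report if s["high_entropy"]]}


def _constructed_blob(n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encrypted payload (constructed)."""
    out, h = b"", b"constructed-seed"
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ image: .text (code-like), .data (strings), .rsrc (blob)."""
    layout = [(b".text", (b"\x55\x48\x89\xe5\x90\x90\xc3" * 40).ljust(512, b"\0"), 0x1000, 0x60000020),
              (b".data", b"\0".join(RESOLVER_APIS + INJECTION_APIS + (b"explorer.exe",)).ljust(512, b"\0"),
               0x2000, 0xC0000040),
              (b".rsrc", _constructed_blob(2048), 0x3000, 0x40000040)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)               # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(layout), 0, 0, 0, OPT_HEADER_SIZE, 0x22)
    opt = struct.pack("<H", 0x20B).ljust(OPT_HEADER_SIZE, b"\0")   # PE32+ magic, rest zeroed
    table, bodies, raw_ptr = b"", b"", 512
    for name, body, vaddr, chars in layout:
        table += struct.pack("<8sIIII", name, len(body), vaddr, len(body), raw_ptr)
        table += struct.pack("<IIHHI", 0, 0, 0, 0, chars)
        bodies += body
        raw_ptr += len(body)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(512, b"\0") + bodies


if __name__ == "__main__":
    report = triage(build_sample_pe())
    for entry in report:
        print(entry)
    print(flag_dropper_indicators(report))
```

Running it on the constructed image reports a low-entropy .text, a .data section carrying all six indicator strings, and a high-entropy .rsrc, which is the picture a dropper that stores its payload as a resource and resolves its APIs by name tends to present. Real triage would additionally parse the import directory and compare it against the strings found, since an API name that appears as a string but not as an import is the specific tell the obfuscation slide describes.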


Thank you!